DEBIAN-CVE-2023-23915

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2023-23915

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-23915.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-23915

Upstream

CVE-2023-23915

Published

2023-02-23T20:15:13Z

Modified

2025-09-19T06:08:10Z

Summary

[none]

Details

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

References

https://security-tracker.debian.org/tracker/CVE-2023-23915

Affected packages

Debian:12 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.88.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.88.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.88.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}